PT-2017-17984 · General Electric+1 · Multilin Universal Relay+8

Published: 2017-06-30 · Updated: 2019-10-09 · CVE-2017-7905

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

General Electric (GE) Multilin SR 750 Feeder Protection Relay versions prior to 7.47
General Electric (GE) Multilin SR 760 Feeder Protection Relay versions prior to 7.47
General Electric (GE) Multilin SR 469 Motor Protection Relay versions prior to 5.23
General Electric (GE) Multilin SR 489 Generator Protection Relay versions prior to 4.06
General Electric (GE) Multilin SR 745 Transformer Protection Relay versions prior to 5.23
General Electric (GE) Multilin SR 369 Motor Protection Relay all versions
General Electric (GE) Multilin Universal Relay versions prior to 6.0 and including 6.0
General Electric (GE) Multilin URplus (D90, C90, B95) all versions

Description

A Weak Cryptography for Passwords issue was discovered, where ciphertext versions of user passwords were created with a non-random initialization vector, leaving them susceptible to dictionary attacks. The ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.

Recommendations

For General Electric (GE) Multilin SR 750 Feeder Protection Relay versions prior to 7.47, update to version 7.47 or later.
For General Electric (GE) Multilin SR 760 Feeder Protection Relay versions prior to 7.47, update to version 7.47 or later.
For General Electric (GE) Multilin SR 469 Motor Protection Relay versions prior to 5.23, update to version 5.23 or later.
For General Electric (GE) Multilin SR 489 Generator Protection Relay versions prior to 4.06, update to version 4.06 or later.
For General Electric (GE) Multilin SR 745 Transformer Protection Relay versions prior to 5.23, update to version 5.23 or later.
For General Electric (GE) Multilin SR 369 Motor Protection Relay, contact the manufacturer for a fix as all versions are affected.
For General Electric (GE) Multilin Universal Relay versions prior to 6.0 and including 6.0, update to a version later than 6.0.
For General Electric (GE) Multilin URplus (D90, C90, B95), contact the manufacturer for a fix as all versions are affected.

Fix

Weakness Enumeration

Insufficiently Protected Credentials
Inadequate Encryption Strength
Use of Insufficiently Random Values

Related identifiers

CVE-2017-7905

Affected products

Modbus
Multilin SR 369 Motor Protection Relay
Multilin SR 469 Motor Protection Relay
Multilin SR 489 Generator Protection Relay
Multilin SR 745 Transformer Protection Relay
Multilin SR 750 Feeder Protection Relay
Multilin SR 760 Feeder Protection Relay
Multilin URplus
Multilin Universal Relay